WiFi “Hole196”: major exploit or much ado about little?

A widely reported WiFi vulnerability is significant, but its bark is far worse …

Because every user has the GTK, and because the GTK can be used in this fashion, there's no protection against this misuse. "A malicious node presenting to the network also has possession of the GTK," said Md. Sohail Ahmad, a senior security researcher at AirTight responsible for documenting this weakness.

Once clients have been poisoned in this way, they use their own PTKs to encrypt traffic to the AP addressed to the ersatz gateway. The AP happily relays that client-to-client traffic, without the malicious party receiving any private key material, just as if the two clients were engaged in routine data transfer. "By injecting one packet and encrypting it with GTK, the malicious insider is able to decrypt traffic from a legitimate user," said Ahmad.

The fake gateway can capture, scan, and forward any cleartext information that would have gone across the network, which could include e-mail, files being transferred, and other internal network activity. While these kinds of tasks might be encrypted for remote access (using a VPN or client/server SSL session protection), it's not yet routine to protect these services inside a firm, although it's becoming more common.

ARP poisoning also allows DNS cache poisoning, and can be used to defeat certain SSL protections that rely on accurate DNS information. Many man-in-the-middle attacks benefit from a combination of a malicious gateway and poisoned DNS.

Because the ARP poisoning (or a similar broadcast-based attack) is delivered over the air, and the access point neither acts on the forged broadcast nor forwards it to the wired network segment, AirTight maintains that the attack is relatively undetectable by current intrusion detection and prevention systems (IDS/IPS).

A few difficulties for the attack

But will this attack have a real impact on the enterprises that use it? The security experts I spoke to said that while Hole196 represents a legitimate concern, it doesn't buy attackers greater access than they would already have today, and comes with a few difficulties as well.

For starters, beyond the requirement of being an authorized user or gaining illegitimate access to an account, an attacker has to be near an AP, and the attack only works on an AP-by-AP basis. Broadcasts are limited to the clients connected to an AP, and, even further, to a specific virtual SSID on a network that's divided for security or other purposes into multiple WiFi networks. (An outsider with insider credentials could use a high-gain antenna from further away, but that's not guaranteed to work, and might only allow communication with an AP, but not clients, which have weaker receive sensitivity.)

If a network uses client isolation, in which the AP declines to relay unicast traffic between two clients, then the GTK spoofing exploit can only be used for one-way exploits, AirTight noted. End-point security installed on individual computers can also be configured to flag warning signs, including potential ARP poisoning, a sudden change of gateway, or malicious one-way attacks.

Pinning down the attacker might be difficult, since the originator address is spoofed, but because the attacker must be in proximity, or have compromised another machine associated with the AP, a company can find and shut down the source, even if that starts with disabling the AP.

Fundamentally, however, Hole196 sits between two network monitoring scenarios. In the first and more typical, a network isn't so highly monitored that ARP poisoning and other attacks happening via wired machines or via a WiFi client that's not using a GTK-encrypted broadcast would be noticed. Many corporations focus their efforts on the edge, and put less-trusted parties (like contractors and visitors) on separate VLANs and virtual SSIDs.

As Matthew Gast, the chair of the WiFi Alliance's Security Technical Task Group, said, "I can do the same attack by sitting down next to you and plugging into another port on your [Ethernet] switch. I can cause a wired system to cause all its traffic to redirect through me. This is the same attack, but through wireless." Gast is the director of product management at Aerohive, an enterprise wireless hardware firm.

The second scenario is a network that is so locked down and monitored that no one can lift a finger without that finger's motion being detected. In such a case, the initial GTK-based attacks might go unnoticed, but when a behavior change is effected, such as the ARP mapping changing or clients suddenly shifting their traffic to a new gateway (which might be spoofing multiple IP addresses), that will trigger alarms.

In either case, Hole196 provides only one component of undetectability. With a less-monitored network, easier methods are available. With a heavily monitored network, anything beyond the initial steps will be spotted. "For every scenario I hear, it's more effective to bribe somebody, or use network access in a different way," Gast told Ars.

For most IT departments, Hole196 won't change the way you work, although you might check your various settings, and look into monitoring ARP poisoning a little more seriously in a general way, because changing ARP has become a fundamental approach in a large class of activities.

But unlike the Tews/Beck TKIP exploit we wrote about in November 2008 (see "Battered, but not broken: understanding the WPA crack"), which in certain circumstances allowed short spoofed packets to be injected undetectably into TKIP-protected networks, Hole196 seems unlikely to provoke any major changes in operations, systems, or specifications.

Despite all disclaimers I've made about the seriousness of this exploit's vector, every vendor of enterprise WiFi hardware and intrusion protection software and hardware will revise their offerings, and fast, to add tools or alerts to monitor for GTK abuse. It can't easily be patched, but it can be monitored relatively easily, because any client sending broadcast packets is now suspect.
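As an added illustration of the monitoring described above (not code from the article, AirTight, or any vendor), here is a small Python detector over a constructed ARP capture. It flags the two symptoms the article names: the gateway's IP suddenly being claimed by a different MAC, and a broadcast ARP that appeared over the air as if relayed by the AP but never crossed the wired segment. It assumes a WLAN sensor plus a mirror port behind the AP, and that the AP bridges every broadcast it genuinely relays onto the wire; the addresses and record layout are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpRecord:
    seq: int                  # capture order
    where: str                # "air" (WLAN sensor) or "wire" (mirror port behind the AP)
    sender_ip: str            # ARP sender protocol address
    sender_mac: str           # ARP sender hardware address
    group_addressed: bool     # frame went to the broadcast/multicast address

GATEWAY_IP = "10.0.0.1"       # constructed sample network; not from the article

def detect(records, gateway_ip=GATEWAY_IP):
    """Return [(seq, reason)] for records showing either Hole196 symptom."""
    # Assumption: the AP bridges every broadcast it relays onto the wired segment,
    # so a genuine over-the-air broadcast ARP always has a wired twin.
    wire_seen = {(r.sender_ip, r.sender_mac) for r in records if r.where == "wire"}
    alerts, gw_mac = [], None
    for r in sorted(records, key=lambda x: x.seq):
        if r.sender_ip == gateway_ip:
            if gw_mac is None:
                gw_mac = r.sender_mac            # first mapping is the trusted baseline
            elif r.sender_mac != gw_mac:
                alerts.append((r.seq, f"gateway {gateway_ip} now claimed by {r.sender_mac} (was {gw_mac})"))
        if r.where == "air" and r.group_addressed and (r.sender_ip, r.sender_mac) not in wire_seen:
            alerts.append((r.seq, "over-the-air broadcast ARP with no wired counterpart"))
    return alerts

# Constructed capture: a gateway ARP and a client ARP (each seen on air and wire),
# then a forged GTK-encrypted reply that only ever existed in the air.
SAMPLE = [
    ArpRecord(1, "wire", "10.0.0.1",  "00:11:22:33:44:01", True),
    ArpRecord(2, "air",  "10.0.0.1",  "00:11:22:33:44:01", True),
    ArpRecord(3, "air",  "10.0.0.23", "00:11:22:33:44:23", True),
    ArpRecord(4, "wire", "10.0.0.23", "00:11:22:33:44:23", True),
    ArpRecord(5, "air",  "10.0.0.1",  "00:11:22:33:44:99", True),
]

if __name__ == "__main__":
    for seq, reason in detect(SAMPLE):
        print(f"record {seq}: {reason}")
```

In a live deployment the wired and wireless captures would need a short correlation window rather than a single pass, since the two sensors will not see a relayed broadcast at the same instant.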